[lug] Ftp port specifications.
John.Hernandez at noaa.gov
Thu Oct 19 10:35:37 MDT 2000
AFAIK, unless you use a hacked client, there's no way to force ftp
clients to a negotiate a specific ftp-data port. It will always grab an
unused random high-numbered port. This can cause a problem with strict
packet filter configs. If you're using ipchains with masquerading, the
answer is to use the ip_masq_ftp.o kernel module. If you use ipchains
in a traditional filtering router mode (without NAT), the IPCHAINS-HOWTO
at linuxdoc.org has some useful information. I've pasted some of the
pertinent info below. I'm not sure how much of this may be dated. I
recall having success on 2.2.x kernels with Michael Hasenstein's
ftp-data hack at http://www.suse.de/~mha/index-next.html and it seems
he's kept it current for 2.2.17 kernels.
SPF: Stateful Packet Filtering
ftp://ftp.interlinx.bc.ca/pub/spf is the site of Brian Murrell's SPF
project, which does connection tracking in userspace.
It adds significant security for low-bandwidth sites.
There's little documentation at present, but here's a post to the
mailing list in which Brian answered some questions:
> I believe it does exactly what I want: Installing a temporary
> "backward"-rule to let packets in as a response to an
> outgoing request.
Yup, that is exactly what it does. The more protocols it
understands, the more "backward" rules it gets right. Right
now it has support for (from memory, please excuse any errors
or omissions) FTP (both active and passive, in and out), some
RealAudio, traceroute, ICMP and basic ICQ (inbound from the ICQ
servers, and direct TCP connections, but alas the secondary
direct TCP connections for things like file transfer, etc. are
not there yet)
> Is it a replacement for ipchains or a supplement?
It is a supplement. Think of ipchains as the engine to allow
and prevent packets from travelling across a Linux box. SPF is
the driver, constantly monitoring traffic and telling ipchains
how to change it's policies to reflect the changes in traffic
Michael Hasenstein's ftp-data hack
Michael Hasenstein of SuSE has written a kernel patch which adds ftp
connection tracking to ipchains. It can currently
be found at http://www.suse.de/~mha/patch.ftp-data-2.gz
5.9 Future Enhancements
Firewalling and NAT have being redesigned for 2.4. Plans and discussions
are available on the netfilter list (see
http://lists.samba.org). These enhancements should clear up many
outstanding usability issues (really, firewalling
and masquerading shouldn't be this hard), and allow growth for far more
John Starkey wrote:
> Is there way, with the exception of asking all users to connect in
> non-passive mode, to prevent ftp from being assigned to a blocked port??
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
John Hernandez, Network Engineer --------------------------------------
US Department of Commerce tel: 303-497-6392
NOAA/OAR - Mailstop R/OM12 fax: 303-497-6005
325 Broadway e-mail: John.Hernandez at noaa.gov
Boulder, CO 80303 http://boulder.noaa.gov
More information about the LUG